From general-return-20046-apmail-incubator-general-archive=incubator.apache.org@incubator.apache.org Fri Oct 03 16:55:45 2008
Return-Path:
Delivered-To: apmail-incubator-general-archive@www.apache.org
Received: (qmail 18994 invoked from network); 3 Oct 2008 16:55:45 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
by minotaur.apache.org with SMTP; 3 Oct 2008 16:55:45 -0000
Received: (qmail 74422 invoked by uid 500); 3 Oct 2008 16:55:42 -0000
Delivered-To: apmail-incubator-general-archive@incubator.apache.org
Received: (qmail 74246 invoked by uid 500); 3 Oct 2008 16:55:41 -0000
Mailing-List: contact general-help@incubator.apache.org; run by ezmlm
Precedence: bulk
Reply-To: general@incubator.apache.org
Delivered-To: mailing list general@incubator.apache.org
Received: (qmail 74235 invoked by uid 99); 3 Oct 2008 16:55:41 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 03 Oct 2008 09:55:41 -0700
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of robertburrelldonkin@gmail.com designates 72.14.220.153 as permitted sender)
Received: from [72.14.220.153] (HELO fg-out-1718.google.com) (72.14.220.153)
by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 03 Oct 2008 16:54:39 +0000
Received: by fg-out-1718.google.com with SMTP id l26so1167733fgb.26
for ; Fri, 03 Oct 2008 09:54:54 -0700 (PDT)
Received: by 10.180.231.20 with SMTP id d20mr979808bkh.11.1223052894232;
Fri, 03 Oct 2008 09:54:54 -0700 (PDT)
Received: by 10.181.9.9 with HTTP; Fri, 3 Oct 2008 09:54:54 -0700 (PDT)
Message-ID:
Date: Fri, 3 Oct 2008 17:54:54 +0100
From: "Robert Burrell Donkin"
To: general@incubator.apache.org
Subject: Re: status of PGP support in Maven
In-Reply-To: <1221930522.25066.161.camel@forge.local>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <9e3862d80809150702y7492812coa2f8f0f1deb42970@mail.gmail.com>
<1221697970.25066.26.camel@forge.local>
<14976D4F-CEEB-41D7-B1AE-1A703E14462B@SUN.com>
<5c902b9e0809191011u72e8b83arfd6e49c5fc202214@mail.gmail.com>
<1221930522.25066.161.camel@forge.local>
X-Virus-Checked: Checked by ClamAV on apache.org
On Sat, Sep 20, 2008 at 6:08 PM, Henning Schmiedehausen wrote:
> On Sat, 2008-09-20 at 10:08 +0100, Robert Burrell Donkin wrote:
>> On Fri, Sep 19, 2008 at 6:11 PM, Justin Erenkrantz wrote:
>> > On Fri, Sep 19, 2008 at 6:12 AM, Hiram Chirino wrote:
>> >> How about we include the signatures in the source distros? That way
>> >> if you trust your source, then you can trust the dependencies it
>> >> downloads.
>> >
>> > Eww. That'd be a giant gaping security hole.
>>
>> not necessarily, depends how it's done
>>
>> signing works through trusting the people who own the keys. given
>> sufficient signatures (to prevent small conspiracies), where the
>> signatures are downloaded from shouldn't matter.
>
> Hiram suggested putting the signatures into the source, which in turn is
> also distributed from the repo. If you compromise the repo and change
> the artifact, it is trivial to update the source artifact to contain a
> matching signature.
AIUI it is not sufficient to gain access to the source. forging a
signature without the private key is not feasible.
therefore, a feasible attack means using a private key trusted to sign
incubator releases that has been unknowingly compromised or using a
rogue incubator release manager. it should be possible to provide
defense against these attacks by using signatures from a sufficient
number of keys.
> This is a security hole. And I don't really care for some of the
> proposed "high nineties" security solutions. Either a solution is secure
> or it is not. Everything else is just FUD.
public key cryptography cannot guarantee absolute security. security
measures only protect against particular attack vectors. no solution is
totally secure.
IMHO the best approach is defense in depth with good protection
against all known attack vectors.
> The problem with the central repo is that you need an easily accessible
> web of trust if you want validation. The Apache web of trust is
> distributed and an overlay to the GPG web of trust. But if you live in
> Juneau, Alaska, it is hard for you to access it and get a trust
> relationship to it.
WOT is about personal identity and is not role based. the apache WOT
allows other members to trust that the owner of the private key is in
fact the 'Robert Burrell Donkin' listed in the members list.
release validation is quite a different notion of trust. just because
a release has been signed by someone called 'Robert Donkin' does not
mean that it can be trusted. perhaps it is some other individual or
perhaps i signed something with another key rather than my 'CODE
SIGNING KEY'.
what is required is a role-based notion of trust: that a particular
key is trusted to sign incubator releases for a particular podling.
this does not require a link through the WOT.
having said all that, i believe that apache as an organisation
*really* needs a better WOT so that *we* can verify our own releases.
- robert
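The role-based, threshold notion of trust Robert argues for (a fixed set of keys trusted to sign one podling's releases, and enough distinct signatures that a single compromised key or a single rogue release manager is not sufficient) is sketched below as an added example; it is not code from this thread, from Maven or from Apache. Ed25519 stands in for OpenPGP, and the policy structure, the SHA-256 fingerprint scheme and all function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
)

// Signature is a detached signature shipped beside an artifact, plus the public key claiming to have made it.
type Signature struct {
	PubKey ed25519.PublicKey
	Sig    []byte
}

// ReleasePolicy: fingerprints of keys trusted to sign one podling's releases, and how many must sign.
type ReleasePolicy struct {
	TrustedFingerprints map[string]bool
	Threshold           int
}

// Fingerprint identifies a key by the hex SHA-256 of its raw public bytes (assumed scheme).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// KeyFromSeed derives a deterministic demo key pair from a 32-byte seed (constructed signers only).
func KeyFromSeed(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Sign produces a release manager's detached signature over the artifact bytes.
func Sign(priv ed25519.PrivateKey, artifact []byte) Signature {
	return Signature{priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, artifact)}
}

// VerifyRelease counts distinct trusted keys whose signature verifies over the artifact.
// Unknown keys are ignored, so rewriting the artifact and its bundled signatures without a
// trusted private key never reaches the threshold. Returns the valid count and the verdict.
func VerifyRelease(p ReleasePolicy, artifact []byte, sigs []Signature) (int, bool) {
	seen := map[string]bool{}
	for _, s := range sigs {
		fp := Fingerprint(s.PubKey)
		if p.TrustedFingerprints[fp] && !seen[fp] && ed25519.Verify(s.PubKey, artifact, s.Sig) {
			seen[fp] = true
		}
	}
	return len(seen), len(seen) >= p.Threshold
}
```

With two valid signatures from keys in the policy VerifyRelease returns (2, true); a replaced artifact carrying a signature from a key outside the policy plus a trusted signer's stale signature over the original bytes returns (0, false), and one trusted key signing twice counts once.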
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org